Feuilles de chauffage de l ' encre de Kube
- :material-content-copy: **[Copier sur le presse-papiers] (__LINK_0__)**
- **[Télécharger PDF](__LINK_0__)**
Aperçu général
Kube-bench est un outil de sécurité qui vérifie si Kubernetes est déployé en toute sécurité en exécutant les vérifications documentées dans le CIS Kubernetes Benchmark. Il s'agit d'un outil essentiel pour assurer la conformité de Kubernetes à la sécurité des clusters et identifier les erreurs de sécurité potentielles.
Caractéristiques principales
- ** Conformité aux critères de référence du SIC** : Contrôles automatisés contre CIS Kubernetes Benchmark
- Multiples Kubernetes Distributions: Prise en charge de diverses distributions K8s et fournisseurs de cloud
- Rapports complets: rapports détaillés assortis de directives en matière d'assainissement
- I/CD Intégration: Intégration facile dans les pipelines de sécurité
- ** Configurations personnalisées** : prise en charge des configurations de référence personnalisées
- ** Formats de sortie multiples**: formats JSON, YAML et de sortie texte
Installation
Installation binaire
# Download latest release
curl -L https://github.com/aquasecurity/kube-bench/releases/latest/download/kube-bench_$(uname -s)_$(uname -m).tar.gz -o kube-bench.tar.gz
tar -xzf kube-bench.tar.gz
sudo mv kube-bench /usr/local/bin/
# Make executable
sudo chmod +x /usr/local/bin/kube-bench
# Verify installation
kube-bench version
Installation du gestionnaire de paquets
# Homebrew (macOS/Linux)
brew install kube-bench
# Snap (Linux)
sudo snap install kube-bench
# APT (Ubuntu/Debian)
curl -s https://aquasecurity.github.io/kube-bench/deb/public.key | sudo apt-key add -
echo "deb https://aquasecurity.github.io/kube-bench/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/kube-bench.list
sudo apt-get update
sudo apt-get install kube-bench
```_
### Installation du conteneur
```bash
# Pull Docker image
docker pull aquasec/kube-bench:latest
# Run as container
docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install
./kube-bench
```_
### Installation de travail de Kubernetes
```yaml
# kube-bench-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: kube-bench
spec:
template:
spec:
hostPID: true
nodeSelector:
kubernetes.io/os: linux
tolerations:
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
containers:
- name: kube-bench
image: aquasec/kube-bench:latest
command: ["kube-bench"]
volumeMounts:
- name: var-lib-etcd
mountPath: /var/lib/etcd
readOnly: true
- name: var-lib-kubelet
mountPath: /var/lib/kubelet
readOnly: true
- name: var-lib-kube-scheduler
mountPath: /var/lib/kube-scheduler
readOnly: true
- name: var-lib-kube-controller-manager
mountPath: /var/lib/kube-controller-manager
readOnly: true
- name: etc-systemd
mountPath: /etc/systemd
readOnly: true
- name: lib-systemd
mountPath: /lib/systemd/
readOnly: true
- name: srv-kubernetes
mountPath: /srv/kubernetes/
readOnly: true
- name: etc-kubernetes
mountPath: /etc/kubernetes
readOnly: true
- name: usr-bin
mountPath: /usr/local/mount-from-host/bin
readOnly: true
restartPolicy: Never
volumes:
- name: var-lib-etcd
hostPath:
path: "/var/lib/etcd"
- name: var-lib-kubelet
hostPath:
path: "/var/lib/kubelet"
- name: var-lib-kube-scheduler
hostPath:
path: "/var/lib/kube-scheduler"
- name: var-lib-kube-controller-manager
hostPath:
path: "/var/lib/kube-controller-manager"
- name: etc-systemd
hostPath:
path: "/etc/systemd"
- name: lib-systemd
hostPath:
path: "/lib/systemd"
- name: srv-kubernetes
hostPath:
path: "/srv/kubernetes"
- name: etc-kubernetes
hostPath:
path: "/etc/kubernetes"
- name: usr-bin
hostPath:
path: "/usr/bin"
Utilisation de base
Lancer des balayages de base
# Run default scan
kube-bench
# Run specific benchmark version
kube-bench --benchmark cis-1.6
# Run for specific Kubernetes version
kube-bench --version 1.21
# Run with specific configuration
kube-bench --config-dir /path/to/config
Composantes spécifiques à la cible
# Scan master components only
kube-bench master
# Scan node components only
kube-bench node
# Scan etcd
kube-bench etcd
# Scan control plane
kube-bench controlplane
# Scan managed services (EKS, GKE, AKS)
kube-bench --benchmark eks-1.0.1
kube-bench --benchmark gke-1.0
kube-bench --benchmark aks-1.0
Formats de sortie
# JSON output
kube-bench --json
# YAML output
kube-bench --outputfile results.yaml --format yaml
# JUnit format
kube-bench --junit
# ASFF format (AWS Security Finding Format)
kube-bench --asff
# Save to file
kube-bench --outputfile results.json --json
Utilisation spécifique au fournisseur de cloud
ÉKS Amazones
# Run EKS-specific benchmark
kube-bench --benchmark eks-1.0.1
# EKS with specific version
kube-bench --benchmark eks-1.0.1 --version eks-1.0.1
# Run as EKS job
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job-eks.yaml
# Check job results
kubectl logs job/kube-bench
Google GKE
# Run GKE-specific benchmark
kube-bench --benchmark gke-1.0
# GKE with custom configuration
kube-bench --benchmark gke-1.0 --config-dir /opt/kube-bench/cfg/
# Run as GKE job
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job-gke.yaml
AKS Azure
# Run AKS-specific benchmark
kube-bench --benchmark aks-1.0
# AKS with specific checks
kube-bench --benchmark aks-1.0 --check 1.1.1,1.1.2
# Run as AKS job
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job-aks.yaml
OpenShift
# Run OpenShift-specific benchmark
kube-bench --benchmark rh-0.7
# OpenShift with custom config
kube-bench --benchmark rh-0.7 --config-dir /opt/kube-bench/cfg/
Configuration avancée
Fichiers de configuration personnalisés
# config.yaml
---
controls:
version: "cis-1.6"
id: 1
text: "Master Node Security Configuration"
type: "master"
groups:
- id: 1.1
text: "Master Node Configuration Files"
checks:
- id: 1.1.1
text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive"
audit: "stat -c %a /etc/kubernetes/manifests/kube-apiserver.yaml"
tests:
test_items:
- flag: "644"
compare:
op: eq
value: "644"
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example, chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml
scored: true
Création de repères personnalisés
# Create custom benchmark directory
mkdir -p /opt/kube-bench/cfg/custom
# Create custom configuration
cat > /opt/kube-bench/cfg/custom/config.yaml << 'EOF'
---
controls:
version: "custom-1.0"
id: 1
text: "Custom Security Configuration"
type: "master"
groups:
- id: 1.1
text: "Custom Configuration Files"
checks:
- id: 1.1.1
text: "Custom security check"
audit: "custom-audit-command"
tests:
test_items:
- flag: "expected-value"
compare:
op: eq
value: "expected-value"
remediation: "Custom remediation steps"
scored: true
EOF
# Run with custom benchmark
kube-bench --config-dir /opt/kube-bench/cfg/custom --benchmark custom-1.0
Intégration CI/CD
Actions GitHub
# .github/workflows/kube-bench.yml
name: Kube-bench Security Scan
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
schedule:
- cron: '0 2 * * *' # Daily at 2 AM
jobs:
kube-bench-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Set up kubectl
uses: azure/setup-kubectl@v3
with:
version: 'latest'
- name: Configure kubectl
run: |
echo "${{ secrets.KUBE_CONFIG }}" | base64 -d > kubeconfig
export KUBECONFIG=kubeconfig
- name: Run Kube-bench
run: |
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml
kubectl wait --for=condition=complete job/kube-bench --timeout=300s
kubectl logs job/kube-bench > kube-bench-results.txt
- name: Parse results
run: |
# Extract summary
grep -E "(PASS|FAIL|WARN)" kube-bench-results.txt > summary.txt
# Count issues
FAIL_COUNT=$(grep -c "FAIL" summary.txt || echo "0")
WARN_COUNT=$(grep -c "WARN" summary.txt || echo "0")
echo "FAIL_COUNT=$FAIL_COUNT" >> $GITHUB_ENV
echo "WARN_COUNT=$WARN_COUNT" >> $GITHUB_ENV
- name: Upload results
uses: actions/upload-artifact@v3
with:
name: kube-bench-results
path: |
kube-bench-results.txt
summary.txt
- name: Comment PR
if: github.event_name == 'pull_request'
uses: actions/github-script@v6
with:
script: |
const fs = require('fs');
const summary = fs.readFileSync('summary.txt', 'utf8');
const failCount = process.env.FAIL_COUNT;
const warnCount = process.env.WARN_COUNT;
const comment = `## Kube-bench Security Scan Results
- **Failed checks:** ${failCount}
- **Warning checks:** ${warnCount}
<details>
<summary>Detailed Results</summary>
\`\`\`
${summary}
\`\`\`
</details>`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: comment
});
- name: Fail on critical issues
if: env.FAIL_COUNT > 0
run: |
echo "❌ Kube-bench found $FAIL_COUNT critical security issues"
exit 1
GitLab CI
# .gitlab-ci.yml
stages:
- security
kube-bench-scan:
stage: security
image: aquasec/kube-bench:latest
script:
- kube-bench --json > kube-bench-results.json
- kube-bench --junit > kube-bench-junit.xml
artifacts:
reports:
junit: kube-bench-junit.xml
paths:
- kube-bench-results.json
expire_in: 1 week
only:
- main
- merge_requests
kube-bench-k8s-job:
stage: security
image: bitnami/kubectl:latest
script:
- kubectl apply -f job.yaml
- kubectl wait --for=condition=complete job/kube-bench --timeout=300s
- kubectl logs job/kube-bench > kube-bench-k8s-results.txt
artifacts:
paths:
- kube-bench-k8s-results.txt
expire_in: 1 week
only:
- main
Jenkins Pipeline
// Jenkinsfile
pipeline {
agent any
environment {
KUBECONFIG = credentials('kubeconfig')
}
stages {
stage('Kube-bench Scan') {
steps {
script {
// Install kube-bench
sh '''
curl -L https://github.com/aquasecurity/kube-bench/releases/latest/download/kube-bench_Linux_x86_64.tar.gz -o kube-bench.tar.gz
tar -xzf kube-bench.tar.gz
chmod +x kube-bench
'''
// Run scan
sh '''
./kube-bench --json > kube-bench-results.json
./kube-bench --junit > kube-bench-junit.xml
'''
// Run as Kubernetes job
sh '''
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml
kubectl wait --for=condition=complete job/kube-bench --timeout=300s
kubectl logs job/kube-bench > kube-bench-k8s-results.txt
'''
}
}
post {
always {
// Archive results
archiveArtifacts artifacts: 'kube-bench-*.json,kube-bench-*.xml,kube-bench-*.txt', fingerprint: true
// Publish JUnit results
junit 'kube-bench-junit.xml'
// Parse and report
script {
def results = readJSON file: 'kube-bench-results.json'
def failCount = 0
def warnCount = 0
results.Controls.each { control ->
control.Groups.each { group ->
group.Checks.each { check ->
if (check.State == 'FAIL') failCount++
if (check.State == 'WARN') warnCount++
}
}
}
echo "Kube-bench Results: ${failCount} failures, ${warnCount} warnings"
if (failCount > 0) {
currentBuild.result = 'UNSTABLE'
error("Kube-bench found ${failCount} critical security issues")
}
}
}
}
}
}
}
Scripts d'automatisation
Scénario de numérisation complet
#!/bin/bash
# comprehensive-kube-bench.sh
set -e
# Configuration
RESULTS_DIR="kube-bench-results"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
KUBECONFIG_PATH="${KUBECONFIG:-$HOME/.kube/config}"
# Create results directory
mkdir -p "$RESULTS_DIR"
echo "Starting comprehensive Kube-bench security scan..."
# Function to run scan and save results
run_scan() {
local scan_type="$1"
local benchmark="$2"
local output_file="$3"
echo "Running $scan_type scan with benchmark $benchmark..."
if [ "$scan_type" = "job" ]; then
# Run as Kubernetes job
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml
kubectl wait --for=condition=complete job/kube-bench --timeout=300s
kubectl logs job/kube-bench > "$output_file"
kubectl delete job kube-bench
else
# Run locally
kube-bench --benchmark "$benchmark" --json > "$output_file"
fi
}
# Detect Kubernetes distribution
detect_k8s_distribution() {
if kubectl get nodes -o jsonpath='{.items[0].status.nodeInfo.providerID}' | grep -q "aws"; then
echo "eks"
elif kubectl get nodes -o jsonpath='{.items[0].status.nodeInfo.providerID}' | grep -q "gce"; then
echo "gke"
elif kubectl get nodes -o jsonpath='{.items[0].status.nodeInfo.providerID}' | grep -q "azure"; then
echo "aks"
else
echo "generic"
fi
}
# Main scanning logic
main() {
# Detect distribution
DISTRIBUTION=$(detect_k8s_distribution)
echo "Detected Kubernetes distribution: $DISTRIBUTION"
# Set benchmark based on distribution
case $DISTRIBUTION in
"eks")
BENCHMARK="eks-1.0.1"
;;
"gke")
BENCHMARK="gke-1.0"
;;
"aks")
BENCHMARK="aks-1.0"
;;
*)
BENCHMARK="cis-1.6"
;;
esac
# Run scans
run_scan "local" "$BENCHMARK" "$RESULTS_DIR/local-scan-$TIMESTAMP.json"
run_scan "job" "$BENCHMARK" "$RESULTS_DIR/job-scan-$TIMESTAMP.txt"
# Generate summary report
python3 << 'EOF'
import json
import sys
from datetime import datetime
def parse_json_results(file_path):
try:
with open(file_path, 'r') as f:
data = json.load(f)
return data
except:
return None
def generate_summary(data):
if not data or 'Controls' not in data:
return None
summary = {
'total_checks': 0,
'pass': 0,
'fail': 0,
'warn': 0,
'info': 0,
'controls': []
}
for control in data['Controls']:
control_summary = {
'id': control.get('id', 'Unknown'),
'text': control.get('text', 'Unknown'),
'pass': 0,
'fail': 0,
'warn': 0,
'info': 0
}
for group in control.get('Groups', []):
for check in group.get('Checks', []):
state = check.get('State', 'UNKNOWN')
summary['total_checks'] += 1
control_summary[state.lower()] += 1
summary[state.lower()] += 1
summary['controls'].append(control_summary)
return summary
# Parse results
json_file = f"kube-bench-results/local-scan-{sys.argv[1]}.json"
data = parse_json_results(json_file)
summary = generate_summary(data)
if summary:
print(f"\n=== Kube-bench Security Scan Summary ===")
print(f"Timestamp: {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}")
print(f"Total Checks: {summary['total_checks']}")
print(f"✅ Pass: {summary['pass']}")
print(f"❌ Fail: {summary['fail']}")
print(f"⚠️ Warn: {summary['warn']}")
print(f"ℹ️ Info: {summary['info']}")
print(f"\nControl Breakdown:")
for control in summary['controls']:
print(f" {control['id']}: {control['text']}")
print(f" Pass: {control['pass']}, Fail: {control['fail']}, Warn: {control['warn']}, Info: {control['info']}")
# Calculate score
if summary['total_checks'] > 0:
score = (summary['pass'] / summary['total_checks']) * 100
print(f"\nSecurity Score: {score:.1f}%")
# Exit with error if critical issues found
if summary['fail'] > 0:
print(f"\n❌ Found {summary['fail']} critical security issues!")
sys.exit(1)
else:
print(f"\n✅ No critical security issues found!")
EOF
echo "Scan completed. Results saved in $RESULTS_DIR/"
}
# Run main function
main "$TIMESTAMP"
Scénario d'assainissement automatisé
#!/bin/bash
# kube-bench-remediation.sh
set -e
RESULTS_FILE="$1"
REMEDIATION_LOG="remediation-$(date +%Y%m%d_%H%M%S).log"
if [ -z "$RESULTS_FILE" ]; then
echo "Usage: $0 <kube-bench-results.json>"
exit 1
fi
echo "Starting automated remediation based on Kube-bench results..."
echo "Results file: $RESULTS_FILE"
echo "Remediation log: $REMEDIATION_LOG"
# Function to apply remediation
apply_remediation() {
local check_id="$1"
local remediation="$2"
echo "Applying remediation for check $check_id..." | tee -a "$REMEDIATION_LOG"
echo "Remediation: $remediation" | tee -a "$REMEDIATION_LOG"
case "$check_id" in
"1.1.1")
# Fix API server pod specification file permissions
echo "Fixing API server pod specification file permissions..." | tee -a "$REMEDIATION_LOG"
sudo chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml 2>&1 | tee -a "$REMEDIATION_LOG"
;;
"1.1.2")
# Fix API server pod specification file ownership
echo "Fixing API server pod specification file ownership..." | tee -a "$REMEDIATION_LOG"
sudo chown root:root /etc/kubernetes/manifests/kube-apiserver.yaml 2>&1 | tee -a "$REMEDIATION_LOG"
;;
"1.2.1")
# Fix anonymous-auth setting
echo "Fixing anonymous-auth setting..." | tee -a "$REMEDIATION_LOG"
kubectl patch deployment kube-apiserver -n kube-system --type='merge' -p='{"spec":{"template":{"spec":{"containers":[{"name":"kube-apiserver","command":["kube-apiserver","--anonymous-auth=false"]}]}}}}' 2>&1 | tee -a "$REMEDIATION_LOG"
;;
*)
echo "No automated remediation available for check $check_id" | tee -a "$REMEDIATION_LOG"
echo "Manual remediation required: $remediation" | tee -a "$REMEDIATION_LOG"
;;
esac
}
# Parse JSON results and apply remediations
python3 << EOF
import json
import subprocess
import sys
def run_remediation(check_id, remediation):
try:
subprocess.run(['bash', '-c', f'apply_remediation "{check_id}" "{remediation}"'], check=True)
return True
except subprocess.CalledProcessError as e:
print(f"Failed to apply remediation for {check_id}: {e}")
return False
# Load results
with open('$RESULTS_FILE', 'r') as f:
data = json.load(f)
remediation_count = 0
success_count = 0
for control in data.get('Controls', []):
for group in control.get('Groups', []):
for check in group.get('Checks', []):
if check.get('State') == 'FAIL' and check.get('Remediation'):
check_id = check.get('ID', 'Unknown')
remediation = check.get('Remediation', '')
print(f"Attempting remediation for check {check_id}")
remediation_count += 1
if run_remediation(check_id, remediation):
success_count += 1
print(f"\nRemediation Summary:")
print(f"Total remediations attempted: {remediation_count}")
print(f"Successful remediations: {success_count}")
print(f"Failed remediations: {remediation_count - success_count}")
EOF
echo "Remediation completed. Check $REMEDIATION_LOG for details."
Script de suivi et d'alerte
#!/bin/bash
# kube-bench-monitor.sh
set -e
# Configuration
SLACK_WEBHOOK_URL="${SLACK_WEBHOOK_URL:-}"
EMAIL_RECIPIENTS="${EMAIL_RECIPIENTS:-}"
THRESHOLD_FAIL="${THRESHOLD_FAIL:-0}"
THRESHOLD_WARN="${THRESHOLD_WARN:-5}"
# Function to send Slack notification
send_slack_notification() {
local message="$1"
local color="$2"
if [ -n "$SLACK_WEBHOOK_URL" ]; then
curl -X POST -H 'Content-type: application/json' \
--data "{
\"attachments\": [{
\"color\": \"$color\",
\"title\": \"Kube-bench Security Scan Results\",
\"text\": \"$message\",
\"footer\": \"Kube-bench Monitor\",
\"ts\": $(date +%s)
}]
}" \
"$SLACK_WEBHOOK_URL"
fi
}
# Function to send email notification
send_email_notification() {
local subject="$1"
local body="$2"
if [ -n "$EMAIL_RECIPIENTS" ]; then
echo "$body" | mail -s "$subject" "$EMAIL_RECIPIENTS"
fi
}
# Run kube-bench scan
echo "Running Kube-bench security scan..."
kube-bench --json > scan-results.json
# Parse results
python3 << 'EOF'
import json
import sys
import os
# Load results
with open('scan-results.json', 'r') as f:
data = json.load(f)
# Count issues
fail_count = 0
warn_count = 0
pass_count = 0
for control in data.get('Controls', []):
for group in control.get('Groups', []):
for check in group.get('Checks', []):
state = check.get('State', 'UNKNOWN')
if state == 'FAIL':
fail_count += 1
elif state == 'WARN':
warn_count += 1
elif state == 'PASS':
pass_count += 1
# Write summary to file
with open('scan-summary.txt', 'w') as f:
f.write(f"FAIL_COUNT={fail_count}\n")
f.write(f"WARN_COUNT={warn_count}\n")
f.write(f"PASS_COUNT={pass_count}\n")
print(f"Scan completed: {fail_count} failures, {warn_count} warnings, {pass_count} passes")
EOF
# Load summary
source scan-summary.txt
# Determine alert level
if [ "$FAIL_COUNT" -gt "$THRESHOLD_FAIL" ]; then
ALERT_LEVEL="critical"
COLOR="danger"
elif [ "$WARN_COUNT" -gt "$THRESHOLD_WARN" ]; then
ALERT_LEVEL="warning"
COLOR="warning"
else
ALERT_LEVEL="good"
COLOR="good"
fi
# Create notification message
MESSAGE="Kube-bench Security Scan Results:
• Failed checks: $FAIL_COUNT
• Warning checks: $WARN_COUNT
• Passed checks: $PASS_COUNT
• Alert level: $ALERT_LEVEL"
# Send notifications
send_slack_notification "$MESSAGE" "$COLOR"
send_email_notification "Kube-bench Security Scan - $ALERT_LEVEL" "$MESSAGE"
# Exit with appropriate code
if [ "$FAIL_COUNT" -gt "$THRESHOLD_FAIL" ]; then
echo "❌ Critical security issues found: $FAIL_COUNT failures"
exit 1
elif [ "$WARN_COUNT" -gt "$THRESHOLD_WARN" ]; then
echo "⚠️ Warning threshold exceeded: $WARN_COUNT warnings"
exit 2
else
echo "✅ Security scan passed"
exit 0
fi
Dépannage
Questions communes
# Permission issues
sudo kube-bench
# Missing configuration files
kube-bench --config-dir /opt/kube-bench/cfg/
# Kubernetes API access issues
export KUBECONFIG=/path/to/kubeconfig
kube-bench
# Version compatibility issues
kube-bench --version 1.21 --benchmark cis-1.6
# Debug mode
kube-bench --verbose
Validation de configuration
# Validate configuration syntax
kube-bench --config-dir /path/to/config --dry-run
# Check available benchmarks
kube-bench --list
# Verify installation
kube-bench version
kube-bench --help
Optimisation des performances
# Run specific checks only
kube-bench --check 1.1.1,1.1.2,1.2.1
# Skip time-consuming checks
kube-bench --skip 4.1.1,4.1.2
# Increase timeout
kube-bench --timeout 300s
Meilleures pratiques
Stratégie de numérisation de la sécurité
- ** Scannage régulier** : Planifier des scans quotidiens ou hebdomadaires
- ICI/CD Intégration: Inclure dans les pipelines de déploiement
- Établissement de base: Créer des bases de données de sécurité
- Suivi de l'assainissement: correctifs de suivi et de surveillance
- Rapport sur la conformité : produire des rapports sur la conformité
Gestion de la configuration
- Contrôle de la version: Stockez les configurations dans Git
- Particulier à l'environnement: Maintenir les configurations par environnement
- ** Benchmarks personnalisés**: Créer des benchmarks spécifiques à l'organisation
- Documentation: Configurations personnalisées des documents
- Test: Configurations d'essai avant déploiement
Lignes directrices pour l'automatisation
- Aménagement automatisé: Mettre en place une réparation automatique sûre
- Seuils d'alerte: Définir les niveaux d'alerte appropriés
- Surveiller l'intégration: Intégrer les systèmes de surveillance
- Rapport: produire des rapports pouvant donner lieu à une action
- ** Analyse des tendances**: suivre les tendances en matière de sécurité dans le temps
Cette feuille de triche complète de Kube-bench fournit tout ce qu'il faut pour scanner la conformité de sécurité Kubernetes professionnelle, de l'utilisation de base aux scénarios d'automatisation et d'intégration avancés.